Risk management, strategy and analysis from Deloitte. Content from our sponsor. Please note: The Wall Street Journal News Department was not involved in the creation of the content below.


Cybersecurity and the Boardroom

Not long ago, the term “cybersecurity” was not frequently heard or addressed in the boardroom. Cybersecurity was often referred to as an information technology (IT) risk, and management and oversight were the responsibility of the chief information or technology officer, not the board. With the rapid advancement of technology, cybersecurity has become an increasingly challenging risk that boards may need to address.

The report noted, “For the third time, the survey revealed that boards are not actively addressing cyber risk management… There is still a gap in understanding the linkage between IT risks and enterprise risk management. Boards still are not undertaking key oversight activities related to cyber risks, such as reviewing budgets, security program assessments and top-level policies; assigning roles and responsibilities for privacy and security; and receiving regular reports on breaches and IT risks.”

The risk of cyberattacks can directly affect both operations and the broader brand or reputation of a company, often resulting in significant financial repercussions. According to a 2012 Deloitte publication Risk Intelligent Governance in the Age of Cyberthreats, the median annualized cybercrime-related cost in 2011 was $5.9 million, which was a 56% increase over the prior year. A primary responsibility of the board is to provide risk oversight.

As discussed in the August 2013 Deloitte Audit Committee Brief, the audit committee is often delegated the task of overseeing the risk programs and policies, including cybersecurity. The trend has been for other committees to be delegated the task of overseeing risks associated with their areas of expertise. For example, risks to the compensation plan might be overseen by the compensation committee. Ultimately, however, the full board is accountable for risk oversight. In many instances, committees are delegated the oversight of risk; however, the full board also discusses and continually monitors the most material risks and those for which the company is most vulnerable (i.e., where no controls exist to mitigate the risk). When cybersecurity is addressed, it is typically on the short list of risks and is discussed at the full board level rather than left solely with a committee.

Cybersecurity is a significant risk that can have a material impact. At least annually, boards should proactively ask questions of management, champion education and awareness programs company-wide, and treat risk as a priority. As cybersecurity issues increase and become more visible, boards may decide to take an active role in understanding the risks associated with those issues. Many boards hear from the chief information officer, chief technology officer or others who are tasked with monitoring cyber risk. In addition, some company boards are engaging third-party specialists to speak with them about the risk, how to mitigate it and signs that may signal a breach. The full board takes the necessary actions to stay informed on management’s risk practices so it can effectively oversee cybersecurity.

Robert Mueller, director of the Federal Bureau of Investigation, who recently spoke on a panel about the future of cybersecurity, said cyber threats will eventually equal or eclipse the terrorist threat. “There are only two types of companies: those that have been hacked and those that will be,” Mueller said, adding that boards should ask themselves what type of company they are and what they are doing about it.

Looking Ahead

Cybersecurity is becoming a top-of-mind issue for most boards, and directors should consider becoming more preemptive in evaluating cybersecurity risk exposure as an enterprise-wide risk management issue rather than limiting it to an IT concern. Following are questions boards can ask to help raise awareness of cybersecurity issues:

Is there someone on the board who serves as an IT expert and understands cyber risks?

Does the company have cyber insurance?

Is there a committee assigned to address cybersecurity?

Does the company have a chief security officer who reports outside of the IT organization?

Is social media a concern for our company?

Do the outsourced providers and contractors have controls and policies in place and do they align with our company’s expectations?

Is there an annual company-wide education or awareness campaign established around cybersecurity?

Fundamentally, the board plays a critical role in understanding the risks associated with cybersecurity and confirming that preventative and detective controls are in place.

About Deloitte Insights

Deloitte’s Insights for C-suite executives and board members provide information and resources to help address the challenges of managing risk for both value creation and protection, as well as increasing compliance requirements.
